What is an access request?
Under the EU General Data Protection Regulation (GDPR) employees have rights to access and receive a copy of all the personal data that the company holds on them. Companies can be fined up to 4 per cent of their global turnover for breaching the GDPR.
A data subject access request is how an individual exercises the right of access to their personal data under Article 15 of the GDPR.
What kind of information can be personal data?
Personal data can come in various forms. It includes any information relating to an identified or identifiable natural person (data subject). For example, David works as a manager at a local law firm. He has been there for 15 years and the company holds a lot of David’s personal data, including:
- his name and address;
- location data relating to David;
- information about his performance at work;
- opinions about David expressed by his colleagues in emails;
- David’s sickness record;
- CCTV footage of David entering and leaving the building;
- call records of conversations David has had with human resources; and
- details of David’s browsing history at work.
David is entitled to access and receive a copy of his personal data.
Why are access requests so difficult?
There are several reasons why employee data subject access requests can be complex and difficult:
- The sheer volume of personal data: employers can accumulate vast quantities of personal data on employees over the years. In one access request that ended up in court, the employer had to review 500,000 emails when dealing with the employee’s access request.
- The expense: employee access requests can be expensive. In the above case, the cost of providing access to the employee’s data for that one employee was £116,116.
- The emotion: employees rarely make access requests when the employment relationship is going well, and the emotional element to the case can add an extra layer of complexity.
- Legal issues: often, when an employee makes an access request, they may be considering (or may have already started) legal action against the employer. This can add yet more complexity to the access request.
Tips on dealing with requests
The GDPR's rules on access requests set high expectations: you are expected to provide the data held on a particular employee within one month.
There are three steps you can take to ensure employee access requests are dealt with properly within your company:
1. Stay on top of records management: ensure that employee records and data are subject to deletion time limits, so that there is less to search through if you do receive an access request from an employee.
2. Put a written procedure in place: this is an instruction manual on how your company will deal with employee access requests. The procedure for dealing with access requests should include:
- details on how employees can make an access request;
- how the company should search for the data; and
- how the data is reviewed before it is sent out.
3. Train, train, train: many of your HR staff will interact with employees directly. Would each of those staff members know what to do if an employee said to them: ‘I want a copy of my data,’ or: ‘I want to access all my data’? They should know because that employee has just made an access request, and the clock is now ticking. All relevant HR staff should have some training on access requests.
Patrick O’Kane is an in-house barrister and head of privacy at a Fortune 500 company in London